ASA-2019-00667 – Git: Git does not refuse to write out tracked files with backlashes in filenames


Allele Security Alert

ASA-2019-00667

Identifier(s)

ASA-2019-00667, CVE-2019-1354

Title

Git does not refuse to write out tracked files with backlashes in filenames

Vendor(s)

the Git project

Product(s)

Git

Affected version(s)

Git versions 2.24.x before 2.24.1
Git versions 2.23.x before 2.23.1
Git versions 2.22.x before 2.22.2
Git versions 2.21.x before 2.21.1
Git versions 2.20.x before 2.20.2
Git versions 2.19.x before 2.19.3
Git versions 2.18.x before 2.18.2
Git versions 2.17.x before 2.17.3
Git versions 2.16.x before 2.16.6
Git versions 2.15.x before 2.15.4
Git versions 2.14.x before 2.14.6

Fixed version(s)

Git version 2.24.1
Git version 2.23.1
Git version 2.22.2
Git version 2.21.1
Git version 2.20.2
Git version 2.19.3
Git version 2.18.2
Git version 2.17.3
Git version 2.16.6
Git version 2.15.4
Git version 2.14.6

Git versions with the following commit:

mingw: disallow backslash characters in tree objects’ file names
https://git.kernel.org/pub/scm/git/git.git/commit/?id=e1d911dd4c7b76a5a8cec0f5c8de15981e34da83

Proof of concept

Unknown

Description

Filenames on Linux/Unix can contain backslashes. On Windows, backslashes are directory separators. Git did not use to refuse to write out tracked files with such filenames.

Technical details

The backslash character is not a valid part of a file name on Windows. Hence it is dangerous to allow writing files that were unpacked from tree objects, when the stored file name contains a backslash character: it will be misinterpreted as directory separator.

This not only causes ambiguity when a tree contains a blob `a\b` and a tree `a` that contains a blob `b`, but it also can be used as part of an attack vector to side-step the careful protections against writing into the `.git/` directory during a clone of a maliciously-crafted repository.

Credits

Christopher Ertl (Microsoft Corporation) and Nicolas Joly (Microsoft Corporation)

Reference(s)

[ANNOUNCE] Git v2.24.1 and others
https://lkml.org/lkml/2019/12/10/905

mingw: disallow backslash characters in tree objects’ file names
https://git.kernel.org/pub/scm/git/git.git/commit/?id=e1d911dd4c7b76a5a8cec0f5c8de15981e34da83

mingw: disallow backslash characters in tree objects’ file names
https://github.com/git/git/commit/e1d911dd4c7b76a5a8cec0f5c8de15981e34da83

Visual Studio Icon Visual Studio 2019 version 16.4 Release Notes
https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes#security-advisory-notice

CVE-2019-1354 | Git for Visual Studio Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1354

Git v2.24.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.24.1.txt

Git v2.23.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.23.1.txt

Git v2.22.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.22.2.txt

Git v2.21.1 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.21.1.txt

Git v2.20.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.20.2.txt

Git v2.19.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.19.3.txt

Git v2.18.2 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.18.2.txt

Git v2.17.3 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.17.3.txt

Git v2.16.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.16.6.txt

Git v2.15.4 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.15.4.txt

Git v2.14.6 Release Notes
https://github.com/git/git/blob/master/Documentation/RelNotes/2.14.6.txt

CVE-2019-1354
https://security.archlinux.org/CVE-2019-1354

CVE-2019-1354 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-1354

CVE-2019-1354
https://security-tracker.debian.org/tracker/CVE-2019-1354

CVE-2019-1354 in Ubuntu
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1354.html

CVE-2019-1354
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1354

CVE-2019-1354
https://nvd.nist.gov/vuln/detail/CVE-2019-1354

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: December 12, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.